renpy-build
sysroot: apply security updates after debootstrap
Apply security updates after debootstrap is complete, as debootstrap can only use one repository when creating chroot.
Does this accomplish anything? Ren'Py should be compiling everything it doesn't dynamically link against itself. So I'm not clear what this will improve.
Mainly applying security updates for glibc and other important packages.
For example, apt will upgrade these packages:
The following packages will be REMOVED:
libgles1-mesa-dev
The following NEW packages will be installed:
libcapnp-0.5.3 libdrm-common libicu55 libllvm6.0 libmircommon7 libmircore-dev libmircore1
libsensors4 libwayland-bin libxml2 libzstd1 sgml-base xml-core
The following packages will be upgraded:
apt base-files bash binutils bsdutils bzip2 coreutils cpp-5 debconf dh-python dpkg dpkg-dev
e2fslibs e2fsprogs fcitx-bin fcitx-libs-dev fontconfig fontconfig-config g++-5 gcc-5
gcc-5-base gir1.2-ibus-1.0 gnupg gpgv grep init init-system-helpers libapparmor1
libapt-pkg5.0 libasan2 libatomic1 libaudiofile-dev libaudiofile1 libaudit-common libaudit1
libblkid1 libboost-filesystem1.58.0 libboost-system1.58.0 libbsd0 libbz2-1.0 libc-bin
libc-dev-bin libc6 libc6-dev libcc1-0 libcilkrts5 libcomerr2 libcryptsetup4 libdb5.3
libdbus-1-3 libdbus-1-dev libdpkg-perl libdrm-amdgpu1 libdrm-dev libdrm-intel1
libdrm-nouveau2 libdrm-radeon1 libdrm2 libegl1-mesa libegl1-mesa-dev libelf1 libexpat1
libfcitx-config4 libfcitx-core0 libfcitx-gclient0 libfcitx-qt0 libfcitx-utils0 libfdisk1
libfontconfig1 libfreetype6 libgbm1 libgcc-5-dev libgcrypt20 libgettextpo0 libgl1-mesa-dev
libgl1-mesa-dri libgl1-mesa-glx libglapi-mesa libgles1-mesa libgles2-mesa libgles2-mesa-dev
libglib2.0-0 libglib2.0-bin libglib2.0-data libglib2.0-dev libgomp1 libibus-1.0-5
libibus-1.0-dev libitm1 libjpeg-turbo8 libjson-c2 libkmod2 liblcms2-2 libllvm3.8 liblsan0
libmirclient-dev libmirclient9 libmircommon-dev libmircookie-dev libmircookie2
libmirprotobuf3 libmount1 libmpx0 libnettle6 libpam-modules libpam-modules-bin
libpam-runtime libpam0g libperl5.22 libpng12-0 libprocps4 libpulse-dev
libpulse-mainloop-glib0 libpulse0 libpython-stdlib libpython2.7-minimal libpython2.7-stdlib
libpython3.5-minimal libpython3.5-stdlib libquadmath0 libseccomp2 libsmartcols1 libsndfile1
libsqlite3-0 libss2 libssl1.0.0 libstdc++-5-dev libstdc++6 libsystemd0 libtiff5 libtsan0
libubsan0 libudev-dev libudev1 libuuid1 libvorbis0a libvorbisenc2 libwayland-client0
libwayland-cursor0 libwayland-dev libwayland-egl1-mesa libwayland-server0 libx11-6
libx11-data libx11-dev libx11-xcb-dev libx11-xcb1 libxcursor-dev libxcursor1
libxkbcommon-dev libxkbcommon0 linux-libc-dev locales login lsb-base makedev
mesa-common-dev mount multiarch-support passwd patch perl perl-base perl-modules-5.22
procps python python-minimal python2.7 python2.7-minimal python3.5 python3.5-minimal
sensible-utils systemd systemd-sysv tar tzdata ubuntu-keyring util-linux x11-common
x11proto-core-dev zlib1g zlib1g-dev
And for glibc, going from 2.23-0ubuntu3 to 2.23-0ubuntu11.3 fixed the following security vulnerabilities:
glibc (2.23-0ubuntu11.3) xenial-security; urgency=medium
* SECURITY UPDATE: DoS via regular expression
- debian/patches/CVE-2009-5155.patch: diagnose invalid back-reference
in posix/regcomp.c, remove invalid test in posix/PCRE.tests.
- CVE-2009-5155
* SECURITY UPDATE: signed comparison vulnerability exists in ARM memcpy
- debian/patches/CVE-2020-6096-1.patch: fix multiarch memcpy for
negative length in sysdeps/arm/armv7/multiarch/memcpy_impl.S.
- debian/patches/CVE-2020-6096-2.patch: fix memcpy and memmove for
negative length in sysdeps/arm/memcpy.S, sysdeps/arm/memmove.S.
- CVE-2020-6096
-- Marc Deslauriers <[email protected]> Tue, 20 Apr 2021 14:52:26 -0400
glibc (2.23-0ubuntu11.2) xenial-security; urgency=medium
* SECURITY UPDATE: Use-after-free in clntudp_call
- debian/patches/CVE-2017-12133.patch: avoid use-after-free read access
in sunrpc/Makefile, sunrpc/clnt_udp.c, sunrpc/tst-udp-error.c.
- CVE-2017-12133
* SECURITY UPDATE: overlap in SSE2-optimized memmove implementation
- debian/patches/CVE-2017-18269.patch: fixed branch conditions in
string/test-memmove.c,
sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S.
- CVE-2017-18269
* SECURITY UPDATE: integer overflow in posix_memalign
- debian/patches/CVE-2018-6485.patch: fix integer overflows in internal
memalign and malloc in malloc/Makefile, malloc/malloc.c,
malloc/tst-malloc-too-large.c.
- CVE-2018-6485
* SECURITY UPDATE: integer overflow in realpath
- debian/patches/any/CVE-2018-11236.patch: fix path length overflow in
realpath in stdlib/Makefile, stdlib/canonicalize.c,
stdlib/test-bz22786.c.
- CVE-2018-11236
* SECURITY UPDATE: buffer overflow in __mempcpy_avx512_no_vzeroupper
- debian/patches/any/CVE-2018-11237.patch: don't write beyond
destination in string/test-mempcpy.c,
sysdeps/x86_64/multiarch/memcpy-avx512-no-vzeroupper.S.
- CVE-2018-11237
* SECURITY UPDATE: heap over-read via regular-expression match
- debian/patches/any/CVE-2019-9169.patch: fix read overrun in
posix/regexec.c.
- CVE-2019-9169
* SECURITY UPDATE: ASLR bypass
- debian/patches/any/CVE-2019-19126.patch: check __libc_enable_secure
before honoring LD_PREFER_MAP_32BIT_EXEC in
sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h.
- CVE-2019-19126
* SECURITY UPDATE: out-of-bounds write on PowerPC
- debian/patches/any/CVE-2020-1751.patch: fix array overflow in
backtrace on PowerPC in debug/tst-backtrace5.c,
sysdeps/powerpc/powerpc32/backtrace.c,
sysdeps/powerpc/powerpc64/backtrace.c.
- CVE-2020-1751
* SECURITY UPDATE: use-after-free via tilde expansion
- debian/patches/any/CVE-2020-1752.patch: fix use-after-free in glob
when expanding ~user in posix/glob.c.
- CVE-2020-1752
* SECURITY UPDATE: stack overflow via 80-bit long double function
- debian/patches/any/CVE-2020-10029.patch: avoid ldbl-96 stack
corruption from range reduction of pseudo-zero in
sysdeps/ieee754/ldbl-96/e_rem_pio2l.c,
- CVE-2020-10029
-- Marc Deslauriers <[email protected]> Thu, 04 Jun 2020 13:56:35 -0400
glibc (2.23-0ubuntu11) xenial; urgency=medium
* debian/patches/ubuntu/xsave-part1.diff and
debian/patches/ubuntu/xsave-part2.diff: Fix a serious performance
regression when mixing SSE and AVX code on certain processors.
The patches are from the upstream 2.23 stable branch. (LP: #1663280)
-- Daniel Axtens <[email protected]> Thu, 04 Oct 2018 10:29:55 +1000
glibc (2.23-0ubuntu10) xenial-security; urgency=medium
* SECURITY UPDATE: Memory leak in dynamic loader (ld.so)
- debian/patches/any/cvs-compute-correct-array-size-in-_dl_init_paths.diff:
Compute correct array size in _dl_init_paths
- CVE-2017-1000408
* SECURITY UPDATE: Buffer overflow in dynamic loader (ld.so)
- debian/patches/any/cvs-count-components-of-expanded-path-in-_dl_init_paths.diff:
Count components of the expanded path in _dl_init_path
- CVE-2017-1000409
* SECURITY UPDATE: One-byte overflow in glob
- debian/patches/any/cvs-fix-one-byte-glob-overflow.diff: Fix one-byte
overflow in glob
- CVE-2017-15670
* SECURITY UPDATE: Buffer overflow in glob
- debian/patches/any/cvs-fix-glob-buffer-overflow.diff: Fix buffer overflow
during GLOB_TILDE unescaping
- CVE-2017-15804
* SECURITY UPDATE: Local privilege escalation via mishandled RPATH / RUNPATH
- debian/patches/any/cvs-elf-check-for-empty-tokens.diff: elf: Check for
empty tokens before dynamic string token expansion
- CVE-2017-16997
* SECURITY UPDATE: Buffer underflow in realpath()
- debian/patches/any/cvs-make-getcwd-fail-if-path-is-no-absolute.diff:
Make getcwd(3) fail if it cannot obtain an absolute path
- CVE-2018-1000001
-- Chris Coulson <[email protected]> Sun, 14 Jan 2018 20:06:26 +0000
glibc (2.23-0ubuntu9) xenial-security; urgency=medium
* SECURITY UPDATE: LD_LIBRARY_PATH stack corruption
- debian/patches/any/CVE-2017-1000366.patch: Completely ignore
LD_LIBRARY_PATH for AT_SECURE=1 programs
- CVE-2017-1000366
* SECURITY UPDATE: LD_PRELOAD stack corruption
- debian/patches/any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch:
Reject overly long names or names containing directories in
LD_PRELOAD for AT_SECURE=1 programs.
* debian/patches/any/cvs-harden-glibc-malloc-metadata.patch: add
additional consistency check for 1-byte overflows
* debian/patches/any/cvs-harden-ignore-LD_HWCAP_MASK.patch: ignore
LD_HWCAP_MASK for AT_SECURE=1 programs
-- Steve Beattie <[email protected]> Fri, 16 Jun 2017 12:04:15 -0700
glibc (2.23-0ubuntu7) xenial-security; urgency=medium
* REGRESSION UPDATE: Previous update introduced ABI breakage in
internal glibc query ABI
- Revert patches/any/CVE-2015-5180-regression.diff
(LP: #1674532)
-- Steve Beattie <[email protected]> Tue, 21 Mar 2017 08:54:23 -0700
glibc (2.23-0ubuntu6) xenial-security; urgency=medium
* SECURITY UPDATE: DNS resolver NULL pointer dereference with
crafted record type
- patches/any/CVE-2015-5180.diff: use out of band signaling for
internal queries
- CVE-2015-5180
* Rebuild to get the following fixes into the xenial-security pocket:
- SECURITY UPDATE: stack-based buffer overflow in the glob
implementation
+ patches/git-updates.diff: Simplify the interface for the
GLOB_ALTDIRFUNC callback gl_readdir
+ CVE-2016-1234
- SECURITY UPDATE: getaddrinfo: stack overflow in hostent
conversion
+ patches/git-updates.diff: Use a heap allocation instead
+ CVE-2016-3706:
- SECURITY UPDATE: stack exhaustion in clntudp_call
+ patches/git-updates.diff: Use malloc/free for the error
payload.
+ CVE-2016-4429
- SECURITY UPDATE: memory exhaustion DoS in libresolv
+ patches/git-updates.diff: Simplify handling of nameserver
configuration in resolver
+ CVE-2016-5417
- SECURITY UPDATE: ARM32 backtrace infinite loop (DoS)
+ patches/git-updates.diff: mark __startcontext as .cantunwind
+ CVE-2016-6323
-- Steve Beattie <[email protected]> Mon, 06 Mar 2017 16:47:32 -0800
glibc (2.23-0ubuntu5) xenial; urgency=medium
* Disable lock-elision on all targets to avoid regressions (LP: #1642390)
-- Adam Conrad <[email protected]> Wed, 16 Nov 2016 13:53:50 -0700
glibc (2.23-0ubuntu4) xenial; urgency=medium
* debian/rules.d/tarball.mk: Apply --no-renames to make the diff readable.
* debian/patches/git-updates.diff: Update from release/2.23/master branch:
- Include fix for potential makecontext() hang on ARMv7 (CVE-2016-6323)
- Include fix for SEGV in sock_eq with nss_hesiod module (LP: #1571456)
- Include malloc fixes, addressing multithread deadlocks (LP: #1630302)
- debian/patches/hurd-i386/cvs-libpthread.so.diff: Dropped, upstreamed.
- debian/patches/any/submitted-argp-attribute.diff: Dropped, upstreamed.
- debian/patches/hurd-i386/tg-hurdsig-fixes-2.diff: Rebased to upstream.
* debian/patches/ubuntu/local-altlocaledir.diff: Updated to latest version
from Martin that limits scope to LC_MESSAGES, fixing segv (LP: #1577460)
* debian/patches/any/cvs-cos-precision.diff: Fix cos() bugs (LP: #1614966)
* debian/testsuite-xfail-debian.mk: Allow nptl/tst-signal6 to fail on ARM.
-- Adam Conrad <[email protected]> Fri, 14 Oct 2016 00:00:34 -0600
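One way to confirm that the post-debootstrap upgrade step actually landed the fixes listed above is to read the installed package's Debian changelog from inside the sysroot and compare the CVE identifiers it records against the ones you require. The script below is an added example for this thread, not code from renpy-build; it assumes the changelog sits at the usual dpkg location `<sysroot>/usr/share/doc/libc6/changelog.Debian.gz` and that the installed version string comes from `dpkg-query -W -f='${Version}' libc6` run in the chroot. The embedded changelog excerpt is constructed from the entries quoted above plus a made-up base entry for 2.23-0ubuntu3, so the check runs offline.

```python
"""Verify that a debootstrap'd sysroot received the glibc security updates.

Added example (not renpy-build code). Assumed inputs: the dpkg changelog at
<sysroot>/usr/share/doc/libc6/changelog.Debian.gz and the installed version
from `dpkg-query -W -f='${Version}' libc6` inside the sysroot.
"""
import gzip
import re
import sys
from pathlib import Path

# Debian changelog entry header: "pkg (version) distribution; urgency=level"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return entries newest-first as dicts with version, distribution, cves.

    Every CVE identifier mentioned anywhere in an entry body is credited to
    that entry (patch file names included), so a revert that names a CVE is
    counted too; treat the result as a coarse check, not an audit.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"version": m.group(2), "distribution": m.group(3), "cves": set()}
            entries.append(current)
        elif current is not None:
            current["cves"].update(CVE_RE.findall(line))
    return entries


def cves_fixed_in(entries, installed_version):
    """CVEs addressed by installed_version or any older entry.

    The changelog is newest-first, so the installed version's entry and
    everything after it is history the installed build already contains.
    """
    for i, entry in enumerate(entries):
        if entry["version"] == installed_version:
            fixed = set()
            for older in entries[i:]:
                fixed |= older["cves"]
            return fixed
    raise ValueError(f"{installed_version} not found in changelog")


def missing_cves(entries, installed_version, required):
    """Required CVEs that the installed version does not claim to fix."""
    return set(required) - cves_fixed_in(entries, installed_version)


def load_sysroot_changelog(sysroot, package="libc6"):
    """Read the gzipped dpkg changelog for `package` out of a sysroot."""
    path = Path(sysroot) / "usr/share/doc" / package / "changelog.Debian.gz"
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed excerpt: the two newest entries are trimmed from the real
# xenial changelog quoted in the thread; the ubuntu3 entry is made up to
# stand in for the version debootstrap installs before the upgrade.
CHANGELOG_EXCERPT = """\
glibc (2.23-0ubuntu11.3) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via regular expression
    - debian/patches/CVE-2009-5155.patch: diagnose invalid back-reference
    - CVE-2009-5155
  * SECURITY UPDATE: signed comparison vulnerability exists in ARM memcpy
    - CVE-2020-6096

 -- Marc Deslauriers <email-omitted>  Tue, 20 Apr 2021 14:52:26 -0400

glibc (2.23-0ubuntu11.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Use-after-free in clntudp_call
    - CVE-2017-12133
  * SECURITY UPDATE: ASLR bypass
    - CVE-2019-19126

 -- Marc Deslauriers <email-omitted>  Thu, 04 Jun 2020 13:56:35 -0400

glibc (2.23-0ubuntu3) xenial; urgency=medium

  * Constructed base entry standing in for the debootstrap'd version.

 -- Example Maintainer <email-omitted>  Mon, 01 Jan 2016 00:00:00 +0000
"""


if __name__ == "__main__":
    # Usage: verify_glibc.py <sysroot> <installed-version> CVE-... [CVE-...]
    # With no arguments, run the offline demonstration on the excerpt.
    if len(sys.argv) >= 4:
        log = load_sysroot_changelog(sys.argv[1])
        version, required = sys.argv[2], sys.argv[3:]
    else:
        log, version = CHANGELOG_EXCERPT, "2.23-0ubuntu3"
        required = ["CVE-2020-6096", "CVE-2017-12133"]
    missing = missing_cves(parse_changelog(log), version, required)
    print("missing:", sorted(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run without arguments it reports that the unpatched 2.23-0ubuntu3 base lacks both sample CVEs; pointed at a real sysroot and its installed version it exits non-zero whenever a required CVE is absent, which makes it usable as a build-time gate after the `apt-get upgrade` step.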
Sure, but we're never actually running those packages - just dynamically linking against them.